A SYSTEM AND METHOD FOR SAFELY EXECUTING DOWNLOADED CODE ON A COMPUTER SYSTEM



FIELD OF THE INVENTION

The present invention relates to the field of computer security and, more specifically, embodiments of the present invention relate to making it safe to execute downloaded code.

BACKGROUND OF THE INVENTION

The Internet has had a major impact on the way business is done. Few businesses would want to disconnect themselves from the Internet, but the current proliferation of active web pages is making it easier for hackers to penetrate systems.

It is possible to specify a fine-grained access policy. For example, the Java 1.2 specification allows a user to limit the access permission to files depending on the source of the applet. Unfortunately, this security depends on the applet being run through the Java byte code interpreter. Thus, these controls are not enforceable for native code, code written in languages such as C, C++, and Visual Basic, as often found in ActiveX controls.

One approach to providing fine-grained control similar to that of the Java 1.2 specification is to modify the library commands used to access the resource to be protected. For example, to limit access to files, one could modify the file access library. Unfortunately, applications are currently not required to link with the modified library.

Unfortunately, there is currently no way to force an application to link with the modified library. A malicious hacker could write an ActiveX control that calls the operating system kernel directly or could statically link the code with a version of the library that doesn't enforce security.
SUMMARY OF THE INVENTION

Embodiments of the present invention include a system and method for making it safe to execute downloaded code. The method includes accessing an application process, the application process making a system call to a library of a computer system for a resource and thereby establishing a requesting thread. The method further includes the library sending a request message to a local security filter; the local security filter validating the requesting thread and returning a digital signature, which uniquely identifies the requesting thread, to the application process. The application process then makes a system call to a kernel of the computer system, wherein the kernel uses the digital signature from the security filter to validate the source of the requesting thread before allowing access to the requested resource.
BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects and advantages of the present invention will be more readily appreciated from the following detailed description when read in conjunction with the accompanying drawings, wherein:

Figure 1 is a block diagram of an exemplary computer system comprising a security filter that generates a digital signature corresponding to a resource request and returns the digital signature to a local library in accordance with embodiments of the present invention.

Figure 2 is a block diagram of an exemplary system comprising a security filter that generates a digital signature corresponding to a resource request and stores the digital signature in a table in accordance with embodiments of the present invention.

Figure 3 is a data flow diagram of an exemplary process for making it safe to execute downloaded code in accordance with embodiments of the present invention.

Figure 4 is a data flow diagram of an exemplary process for determining the source of a resource request in accordance with embodiments of the present invention.

Figure 5 is a block diagram of an exemplary computer system in accordance with embodiments of the present invention.
DETAILED DESCRIPTION OF THE INVENTION

Reference will now be made in detail to embodiments of the present invention, a system and method for making it safe to execute downloaded code, examples of which are illustrated in the accompanying drawings. While the invention will be described in conjunction with the preferred embodiments, it will be understood that they are not intended to limit the invention to these embodiments. On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the invention as defined by the appended claims.

Furthermore, in the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it will be recognized by one of ordinary skill in the art that the present invention may be practiced without these specific details. In other instances, well known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the present invention.

When a computer system accesses a web page, the computer system is put at risk if software is downloaded. Even if a computer system is modified so that the downloaded application accesses system resources through a local library, there is not an easy way to prevent the application from making calls directly to the operating system kernel and bypassing the local libraries. Embodiments of the present invention ensure that any downloaded application that attempts to bypass the local machine's libraries will fail.



There are many ways to catch system calls to the kernel. However, most require changes to the kernel ranging from modest to heroic, and some require changes to the applications or the libraries they call. Embodiments of the present invention require only a small change to the kernel, and they protect against malicious applications that do not follow conventional rules for applications and libraries. The present invention allows the kernel to determine whether a resource request went through the local libraries or not. If the resource request passes through the local libraries and the operation is allowed, the kernel will allow access to the requested resource. If the resource request bypasses the local libraries, the kernel will deny the resource request.

Embodiments of the present invention provide a library that guards access to the operating system and enforces a specified security policy for all physical resources on the system. For example, embodiments of the present invention can be used to check every attempt to open a file against a list of files that may be seen by the application. Embodiments of the invention enforce security policies such that all accesses to the file system go through this library. The present invention assigns a unique digital signature to valid resource requests that pass through the local library to notify the kernel that the request did, in fact, pass through the local library (e.g., security filter).

Embodiments of the present invention include a security policy that limits the damage a malicious application process could do to a computer system if downloaded and executed. For example, the security policy could prevent application processes from reading the local hard drive and could limit write operations to a specific directory. For example, the security policy could ensure that any code running in a web browser can only write to a specific directory and cannot read the hard drive. In one embodiment of the invention, modifying the local library creates the security policy. In one embodiment of the invention, the local library is an ntdll.dll library.

Figure 1 is a block diagram of an exemplary computer system 100 for making it safe to execute downloaded code in accordance with embodiments of the present invention. System 100 comprises an un-secure application process 110 and an associated local library 115. For example, application process 110 could be an applet, JavaScript, an ActiveX control or any other executable command. In one embodiment of the invention, the application process 110 is downloaded from the Internet via a web browser application. In one embodiment of the invention, local library 115 is an ntdll.dll library.

System 100 also comprises a security filter 120. In one embodiment of the invention, local library 115 is modified to include security filter 120 and secret 125. The security filter application can be configured to limit read and write operations for many different application processes. To make sure that malicious processes do not bypass the security filter, the security filter 120 comprises secret 125 that can be used to generate a unique digital signature for individual resource requests of requesting threads made by the application process 110. In one embodiment of the invention, the secret 125 can be shared with the operating system (OS) kernel 130.



In one embodiment of the invention, the local library 115 can be modified such that legitimate resource requests made by the application process 110 are sent through the security filter 120 before being routed to the operating system (OS) kernel 130. The resource request 145 is routed to the security filter 120 so that the security filter 120 can generate a first unique digital signature 140 for verifying that the resource request was passed through the local library 115. In one embodiment of the invention, the security filter 120 generates a validation key that validates both the requesting thread ID and the actual resource request of the requesting thread.



In this embodiment of the invention, the kernel 130 is also modified such that it too shares secret 125 with the security filter 120. By sharing the secret 125, the system kernel can verify that the security filter signed the request. If the request is properly signed, the resource request can be processed. If the request is not properly signed, it can be determined that the resource request did not pass through the local library 115 and the resource request will be denied. In this embodiment of the invention, the operating system kernel 130 can tell the difference between system calls that come from the modified library and ones that bypass the modified library, thus making it safe to execute downloaded code because the downloaded code must pass through the security filter and only authorized requests will be properly signed. In one embodiment of the invention, the system kernel 130 computes its own validation key and compares it to a stored value generated by the security filter 120. If the two validation keys match, the request can be processed. If the two validation keys do not match, the request is denied. This embodiment is used as an example, but it is appreciated that variations for validating the request can be used. For example, the kernel 130 could validate the signature (validation key) without computing a second digital signature.



Figure 2 is a block diagram of an exemplary system 200 for making it safe to execute downloaded code in accordance with embodiments of the present invention. System 200 is slightly different from system 100 of Figure 1. System 200 further includes a stored value 269 generated by the security filter 120 and a digital signature hash table 235 for storing digital signatures generated by the OS kernel 130. By storing the digital signature in hash table 235, the key is not passed while it is valid. Alternatively, the kernel accesses the stored digital signature and compares the stored signature to one it generates upon receiving the resource request. As stated above, the digital signature can be validated without the OS kernel 130 computing a second digital signature. This embodiment is used only as an example to facilitate describing the invention. The OS needs to validate that the request and requesting thread have passed through the security filter and were approved by the security filter. Computing digital signatures at the security filter and at the OS kernel is only one way to accomplish this.

Figure 3 is a data flow diagram of an exemplary process 300 for 
making it safe to execute downloaded code in accordance with embodiments 
of the present invention. Step 301 is accessing an application process. In 
one embodiment of the invention, the application process is downloaded 
using a web browser application. 

In step 303, the application process makes a system call to the local 
library requesting a resource, establishing a requesting thread. In one 
embodiment of the invention, the requesting thread comprises information 
necessary to uniquely identify it from other requesting threads. In one 
embodiment of the invention, a multiprocessor computer system can be 
utilized and in this embodiment, requesting threads can be uniquely identified. 

In step 305, the library sends a request message to the security filter. 
In one embodiment of the invention, the security filter is running in a separate 
address space from the application (e.g., separate processes). When the 
application calls the kernel via the locally installed library, some internal 
processing may be done. However, in one embodiment of the invention, the 
request message can be sent directly from the application. 
In step 307, the security filter validates the requesting thread and its request (e.g., determines if the requested resource access is allowed by this thread), and returns a unique digital signature for the request made by this thread to the application process. In one embodiment of the invention, the unique digital signature can only be used for the exact command specified by the requesting thread. In another embodiment, the unique digital signature can be used only one time.

In step 309, the application process makes a system call to the OS kernel. In this step, the digital signature can be sent in the system call to the kernel. The kernel then uses the same secret that the security filter used to generate the first digital signature to validate the origin and contents of the system call. If the system call was routed from the local library (e.g., security filter), the kernel will be able to verify the digital signature generated by the security filter. In one embodiment of the invention, the secret used to digitally sign the requesting thread is a one-way function (e.g., trap door function).
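The shared-secret embodiment of Figures 1 and 3 (steps 303 through 309) as an added worked example; this is illustrative code written for this page, not the patent's or any vendor's implementation. The security filter, kernel, policy, thread IDs and file paths are all constructed. An HMAC-SHA256 over the thread ID, the exact command and a fresh nonce stands in for the "unique digital signature" made with secret 125, and the kernel keeps a table of consumed signatures to give the one-time property described in step 307:

```python
import hashlib
import hmac
import secrets

# Secret shared by the security filter and the kernel. Constructed here for
# the example; it stands in for secret 125 of the description.
SHARED_SECRET = secrets.token_bytes(32)

# Constructed toy policy: no reads anywhere, writes only under one directory.
ALLOWED_WRITE_PREFIX = "C:/sandbox/"


def _message(thread_id, op, path, nonce):
    # Canonical bytes covering the requesting thread ID, the exact command
    # and a per-request nonce, so one signature fits exactly one call.
    return f"{thread_id}|{op}|{path}|{nonce}".encode()


def _sign(secret, thread_id, op, path, nonce):
    return hmac.new(secret, _message(thread_id, op, path, nonce), hashlib.sha256).hexdigest()


class SecurityFilter:
    """Stands in for the modified local library (security filter 120)."""

    def __init__(self, secret):
        self._secret = secret

    def policy_allows(self, op, path):
        if op == "write":
            return path.startswith(ALLOWED_WRITE_PREFIX)
        return False  # reads and anything else are refused

    def sign_request(self, thread_id, op, path):
        """Return (nonce, signature) for an allowed request, else None."""
        if not self.policy_allows(op, path):
            return None
        nonce = secrets.token_hex(8)
        return nonce, _sign(self._secret, thread_id, op, path, nonce)


class Kernel:
    """Stands in for the modified OS kernel (kernel 130)."""

    def __init__(self, secret):
        self._secret = secret
        self._used = set()  # signatures already consumed (one-time use)

    def syscall(self, thread_id, op, path, nonce=None, signature=None):
        """Return 'allowed' or a string naming the reason for denial."""
        if signature is None:
            return "denied: unsigned call bypassed the local library"
        # Recompute the check value with the shared secret and compare in
        # constant time; a mismatch means the call did not come through the
        # filter for this thread and this exact command.
        expected = _sign(self._secret, thread_id, op, path, nonce)
        if not hmac.compare_digest(expected, signature):
            return "denied: signature does not match this thread and request"
        if signature in self._used:
            return "denied: signature already used"
        self._used.add(signature)
        return "allowed"


def run_scenarios():
    """Exercise the filter and kernel; returns {scenario: kernel verdict}."""
    sf = SecurityFilter(SHARED_SECRET)
    kernel = Kernel(SHARED_SECRET)
    results = {}

    # 1. Thread 7 writes inside the sandbox through the library.
    nonce, sig = sf.sign_request(7, "write", "C:/sandbox/out.txt")
    results["library_write"] = kernel.syscall(7, "write", "C:/sandbox/out.txt", nonce, sig)

    # 2. Replaying the same signature is refused.
    results["replay"] = kernel.syscall(7, "write", "C:/sandbox/out.txt", nonce, sig)

    # 3. A read is refused by the filter itself: no signature is issued.
    results["filter_refuses_read"] = sf.sign_request(7, "read", "C:/secrets.txt") is None

    # 4. Calling the kernel directly, skipping the library, is refused.
    results["direct_syscall"] = kernel.syscall(7, "read", "C:/secrets.txt")

    # 5. A signature made under a wrong secret does not verify.
    bad_nonce = secrets.token_hex(8)
    forged = _sign(b"wrong-secret", 7, "read", "C:/secrets.txt", bad_nonce)
    results["forged"] = kernel.syscall(7, "read", "C:/secrets.txt", bad_nonce, forged)

    # 6. A signature issued to thread 7 is useless to thread 9.
    nonce, sig = sf.sign_request(7, "write", "C:/sandbox/a.txt")
    results["other_thread"] = kernel.syscall(9, "write", "C:/sandbox/a.txt", nonce, sig)

    # 7. The same signature cannot be redirected at a different path.
    results["other_path"] = kernel.syscall(7, "write", "C:/windows/x.dll", nonce, sig)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22} {verdict}")
```

Running the module prints one verdict per scenario. The two properties the description relies on are visible in the code: the kernel never honours a call that carries no signature, so a control that invokes the kernel directly fails regardless of what the policy would have said, and because the thread ID and the command are inside the signed message, a signature lifted from another thread or reused for another path fails the comparison before any policy question arises.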

Figure 4 is a data flow diagram of an exemplary process 400 for 
determining the source of a resource request in accordance with 
embodiments of the present invention. 

In step 401, a resource request associated with an application is accessed. As stated above, the resource request can be in response to code downloaded, e.g., from the Internet.
In step 403, the resource request is routed to a security filter. In one embodiment of the invention, the security filter comprises a secret used for generating a secure digital signature. In another embodiment of the invention, the security filter is loaded into an address that the application does not have access to. In this embodiment, the secret may not be needed because the security rules cannot be modified by the application. In this embodiment of the invention, the kernel can determine if the resource is allowed based on the address of the request.

In step 405, the security filter validates the resource request and, if it is allowed, the security filter generates a first check value (e.g., digital signature) associated with the resource request using the validation secret. In one embodiment of the invention, the check value is stored in a hash table. In another embodiment of the invention, the digital signature is routed back to the application process associated with the resource request.

In step 407, the resource request is routed to the system kernel. In one embodiment of the invention, the system kernel validates the resource request by examining the address of the resource request. In another embodiment of the invention, the system kernel validates the resource request by generating a second check value using the same secret used to generate the first check value. The kernel then compares the first check value to the second check value.
In step 410, the kernel allows access to the requested resource if the first check value and the second check value match. Moreover, the kernel denies access to the requested resource if the first check value does not match the second check value. In another embodiment of the invention, the kernel allows access to the requested resource if the requesting thread is associated with a virtual address approved by the security filter. In addition, the kernel will deny access to the requested resource if the requesting thread is associated with an address that is not approved by the security filter.

In one embodiment of the invention, if it is not possible for application code to execute once the standard library has been entered, the security code can be linked as part of the application. In this embodiment, a linker can report to the kernel the address of a specific instruction in the security code. When the kernel is accessed from this address, it produces a key. The security filter then does its security checks. If the access is allowed, the kernel can validate that the parameters of the call are those reported when the security filter was entered. In one embodiment of the invention, once a key is used, it becomes invalid.

On a multiprocessor computer system, one thread may attempt to read the live key of another thread. In one embodiment of the invention, any request made by one thread using the key of another thread will be rejected. One thread may read the key from another thread and pass it back to the thread owning the key, but the thread will not have an opportunity to use the key before it expires.
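The address-based embodiment of the preceding two paragraphs (the linker reports the security code's entry address; the kernel issues a per-thread, single-use key when entered from that address and checks at the real call that the parameters are the ones reported at entry; a key presented by a different thread is rejected) as an added example, written for this page and not taken from the patent. The addresses, thread IDs and the policy are constructed; timed expiry of a live key is not modelled beyond the key being consumed on first use:

```python
import secrets

# Constructed addresses: where the linker placed the guarded entry
# instruction of the security code, and an address in ordinary application code.
SECURITY_ENTRY_ADDR = 0x7FF6_1000_2A40
APP_CODE_ADDR = 0x0000_0040_1F00


class AddressCheckedKernel:
    """Toy kernel for the address-based embodiment (added example)."""

    def __init__(self):
        self._trusted_entry = None
        self._live_keys = {}  # thread_id -> (key, parameters reported at entry)

    def register_security_entry(self, address):
        # The linker reports the entry instruction's address once, at load time.
        self._trusted_entry = address

    def enter(self, thread_id, caller_address, parameters):
        """Produce a live key only when entered from the registered address."""
        if caller_address != self._trusted_entry:
            return None  # application code entered directly: no key, no access
        key = secrets.token_hex(16)
        self._live_keys[thread_id] = (key, parameters)
        return key

    def request(self, thread_id, key, parameters):
        """Honour a resource request only with the calling thread's own live key."""
        entry = self._live_keys.get(thread_id)
        if entry is None:
            return "denied: no live key for this thread"
        live_key, reported = entry
        if not secrets.compare_digest(live_key, key):
            return "denied: key belongs to another thread"
        del self._live_keys[thread_id]  # a key is invalid once used
        if parameters != reported:
            return "denied: parameters differ from those reported at entry"
        return "allowed"


def guarded_call(kernel, thread_id, op, path, sandbox="C:/sandbox/"):
    """Security code linked into the application: enter, check policy, call."""
    params = (op, path)
    key = kernel.enter(thread_id, SECURITY_ENTRY_ADDR, params)
    if key is None:
        return "denied: kernel not entered from the security code"
    if not (op == "write" and path.startswith(sandbox)):  # constructed policy
        return "denied: policy forbids this operation"
    return kernel.request(thread_id, key, params)


def run_address_scenarios():
    """Exercise the kernel; returns {scenario: verdict}."""
    kernel = AddressCheckedKernel()
    kernel.register_security_entry(SECURITY_ENTRY_ADDR)
    params = ("write", "C:/sandbox/log.txt")
    results = {}

    # 1. Security code enters from its registered address, policy passes,
    #    and the call carries the same parameters reported at entry.
    results["legitimate"] = guarded_call(kernel, 1, "write", "C:/sandbox/log.txt")

    # 2. Policy failure inside the security code: the kernel is never asked.
    results["policy_read"] = guarded_call(kernel, 1, "read", "C:/secrets.txt")

    # 3. Application code calls the kernel entry directly: no key is produced.
    results["wrong_address"] = kernel.enter(1, APP_CODE_ADDR, params) is None

    # 4. A key is dead after one use.
    key = kernel.enter(1, SECURITY_ENTRY_ADDR, params)
    kernel.request(1, key, params)
    results["reuse"] = kernel.request(1, key, params)

    # 5. Parameters changed between entry and the actual call.
    key = kernel.enter(1, SECURITY_ENTRY_ADDR, params)
    results["tampered_params"] = kernel.request(1, key, ("write", "C:/windows/x.dll"))

    # 6. Thread 2 reads thread 1's live key and presents it as its own.
    key1 = kernel.enter(1, SECURITY_ENTRY_ADDR, params)
    key2 = kernel.enter(2, SECURITY_ENTRY_ADDR, params)
    results["stolen_key"] = kernel.request(2, key1, params)
    results["thread2_own_key"] = kernel.request(2, key2, params)
    return results


if __name__ == "__main__":
    for name, verdict in run_address_scenarios().items():
        print(f"{name:18} {verdict}")
```

Because the kernel keys its table by thread ID, the check "does this key belong to the calling thread" is a lookup plus a constant-time comparison; nothing about the key's value needs to be secret from the kernel's own point of view, only unguessable by the application, which is why the shared secret of the earlier embodiment is not required here.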



Referring now to Figure 5, a block diagram of exemplary computer system 500 is shown. It is appreciated that computer system 500 of Figure 5 described herein illustrates an exemplary configuration of an operational platform upon which embodiments of the present invention can be implemented. Nevertheless, other computer systems with differing configurations can also be used in place of computer system 500 within the scope of the present invention. For example, computer system 500 could be a server system, a personal computer or an embedded computer system such as a mobile telephone or pager system. Furthermore, computer system 500 could be a multiprocessor computer system.

Computer system 500 includes an address/data bus 501 for communicating information, a central processor 502 coupled with bus 501 for processing information and instructions, a volatile memory unit 503 (e.g., random access memory, static RAM, dynamic RAM, etc.) coupled with bus 501 for storing information and instructions for central processor 502 and a non-volatile memory unit 504 (e.g., read only memory, programmable ROM, flash memory, EPROM, EEPROM, etc.) coupled with bus 501 for storing static information and instructions for processor 502. Computer system 500 may also contain an optional display device 506 coupled to bus 501 for displaying information to the computer user. Moreover, computer system 500 also includes a data storage device 505 (e.g., disk drive) for storing information and instructions.



Also included in computer system 500 of Figure 5 is an optional alphanumeric input device 507. Device 507 can communicate information and command selections to central processor 502. Computer system 500 also includes an optional cursor control or directing device 508 coupled to bus 501 for communicating user input information and command selections to central processor 502. Computer system 500 also includes signal communication interface 509, which is also coupled to bus 501, and can be a serial port. Communication interface 509 can also include a number of wireless communication mechanisms such as infrared or a Bluetooth protocol.

Embodiments of the present invention, a system and method for making it safe to execute downloaded code, have been described. While the present invention has been described in particular embodiments, it should be appreciated that the present invention should not be construed as limited by such embodiments, but rather construed according to the following Claims.

The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the Claims appended hereto and their equivalents.